Evernote Hacked – ALL Users Required To Reset Passwords


The big news in the past week or so was the Evernote hack, being a user of Evernote I was interested by this one – it seems to be a pretty pervasive hack with user IDs and e-mail addresses being leaked.

Thankfully the passwords are salted hashes, so it’s unlikely they’ll get brute forced any time soon. As a precaution, Evernote forced a password reset on its entire userbase.

Evernote has joined the growing list of companies whose cloud-based services have suffered a serious security breach, announcing over the weekend that it had implemented a service-wide password reset after attackers accessed user information.

Happily, the company’s announcement notes, the passwords accessed were salted hashes, which should mean they last longer than the passwords lifted from the Australian Broadcasting Corporation recently.

The user information accessed by the attackers also included user Ids and e-mail addresses.

Evernote joins the ranks of numerous other large companies which have been hacked recently (including Apple, Facebook & others compromised by the Java exploit).

I’m wondering if there’s some serious service based 0-day exploit out there people are leveraging (Apache? nginx? MySQL?) or something else perhaps.


All Evernote users were required to reset their passwords in case the attackers are able to recover passwords from the salted hashed list. The password reset will apply not only to Evernote logins, but to all apps that users have given access to their Evernote accounts.

Other major names to be hit in recent attacks include Apple, Facebook, Twitter and Microsoft, with a Java zero-day behind most of the vulnerabilities.

The company says the attack “appears to have been a coordinated attempt to access secure areas of the Evernote Service”.

The usual suggestion, that users choose strong passwords that they don’t re-use, will no doubt be ignored by a small-but-significant number of Evernote’s customers.

Evernote suggests that no user data was leaked, which is good as people tend to store pretty important information in the app (Bank account details, passport scans etc). There is a chance that they got caught out by the Java bug too – but that seems unlikely.

I wonder which is the next big powerhouse that’s going to go down to a hack attack, I’m hoping by now everyone in the cloud has sane architecture and strong password storage implementations.

Source: The Register

Posted in: Exploits/Vulnerabilities, Web Hacking


Latest Posts:


Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.


One Response to Evernote Hacked – ALL Users Required To Reset Passwords

  1. Toby Windsor March 21, 2013 at 5:07 pm #

    Very worrying when large companies like this get hacked, makes you wonder if any computer worldwide that is attached to a cable can somehow be tapped into from anywhere.